Principal Application Security Engineer

Who We AreJoin a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for nine consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.

What We DoWe are seeking a highly skilled and experienced Principal Application Security Engineer to join our team. The Principal Application Security Engineer will play a pivotal role in ensuring the security and integrity of our applications. The ideal candidate will possess extensive knowledge of application security, strong analytical skills, and a proactive approach to identifying and mitigating security risks using modern tools and frameworks.

What You'll Do

• Application Security Strategy: Develop, implement, and maintain a comprehensive application security strategy that aligns with the company's business goals and regulatory requirements, utilizing industry-leading tools.
• Security Assessments: Conduct thorough security assessments, including static and dynamic application security testing (SAST/DAST), penetration testing, and code reviews using tools like Veracode and Burp Suite to identify vulnerabilities in our applications. Collaborate with development teams to remediate identified issues.
• Risk Management: Proactively identify and assess security risks associated with applications and systems. Develop and implement risk mitigation strategies to address identified vulnerabilities, ensuring compliance with frameworks such as OWASP, NIST, and ISO 27001.
• Secure Software Development Lifecycle (SDLC): Integrate security best practices into the software development lifecycle. Provide guidance and training to development teams on secure coding practices, security testing methodologies, and the use of development tools such as GitHub and Jenkins for continuous integration and deployment.
• Incident Response: Lead and coordinate incident response efforts related to application security breaches. Conduct root cause analysis and implement corrective actions to prevent future incidents.
• Security Tools and Technologies: Evaluate, implement, and manage security tools and technologies to enhance the security posture of our applications. Stay updated on the latest security trends, emerging threats, and advancements in security technologies.
• Compliance: Ensure compliance with industry standards, regulatory requirements, and internal security policies, including PCI-DSS and SOC 2. Prepare and maintain documentation to support audits and assessments.
• Collaboration: Work closely with cross-functional teams, including development, operations, and compliance, to ensure security requirements are integrated into all phases of the application lifecycle.
• Mentorship: Provide mentorship and guidance to junior members of the security team. Foster a culture of security awareness and continuous improvement within the organization.

What You'll Bring

Required Education, Experience, Certification/Licensure

• Education: Bachelor's or Master's degree in Computer Science, Information Security, or a related field.
• Experience: Minimum of 8-10 years of experience in application security or a related field, with a proven track record of securing complex applications in a fintech environment.
• Certifications: Relevant certifications such as CISSP, CEH, OSCP, or CSSLP are highly desirable.
• Technical Expertise: In-depth knowledge of application security principles, secure coding practices, and security testing methodologies, including proficiency with tools like Veracode, Burp Suite, and development environments like GitHub and Jenkins.
• Analytical Skills: Strong analytical and problem-solving skills, with the ability to identify and mitigate security risks effectively.
• Communication: Excellent verbal and written communication skills, with the ability to convey complex security concepts to both technical and non-technical stakeholders.
• Leadership: Proven leadership experience, with the ability to lead and coordinate security initiatives across multiple teams.
• Adaptability: Ability to adapt to a fast-paced and dynamic environment, with a strong focus on delivering results.
• Collaboration: Strong interpersonal skills, with the ability to build effective working relationships with cross-functional teams.

Salary Range: $166,800.00 - $222,300.00

This hiring range is a reasonable estimate of the base pay range for this position at the time of posting.  Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location

What We OfferBy choice, we don’t simply accept individuality – we embrace it, we support it, and we thrive on it! Our People First Culture celebrates diversity, equity and inclusion not simply because it’s the right thing to do, but also because it’s the key to our success. We are proud to foster an authentic and inclusive workplace For All. You are free and encouraged to bring your entire, unique self to work. First American is an equal opportunity employer in every sense of the term.

** Note that the following statements only apply to candidates who will be working from an unincorporated area within Los Angeles County. **

First American will consider for employment all qualified applicants, including those with arrest or conviction records, in a manner consistent with the requirements of applicable state and local laws (e.g., the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act).

First American intends to conduct a review of an applicant’s criminal history in connection with a conditional offer. First American reasonably believes that a criminal history may have a direct, adverse and negative relationship with the following material job duties for this position potentially resulting in the withdrawal of the conditional offer of employment: handling of confidential, proprietary or trade secret information belonging to First American or its customers, administrating or facilitating financial transactions, and the ability to meet customer-imposed criminal history requirements.

Based on eligibility, First American offers a comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave and other great benefits like an employee stock purchase plan.